orank's own fix text: "If anonymous-only is correct… consider publishing a minimal PRM that explicitly signals anonymous-only access." This stays honest: empty arrays are the truth, not stubs.
GET /.well-known/oauth-protected-resource

    {
      "resource": "https://orchestkit.yonyon.ai",
      "authorization_servers": [],       ← no AS exists (truth)
      "scopes_supported": [],
      "bearer_methods_supported": [],    ← no bearer token ever read (truth)
      "resource_documentation": "https://orchestkit.yonyon.ai/auth.md",
      "resource_policy_uri": "https://orchestkit.yonyon.ai/api-policy.md"
    }

still 404 by design: /.well-known/oauth-authorization-server - RFC 8414 metadata for a nonexistent authorization server would be a lie.

still forfeited: WWW-Authenticate 401 hint - a public API returning 401s would be a lie.

auth.md updated: Discover rewritten around the PRM, live sample payloads, registration walkthrough declared N/A by design, anonymous = sole identity type. Targets: oauth-protected-resource (+2), walkthrough (+2), agent-auth-discovery (partial of 3), auth-md-structure (+1).
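
A CI-style drift check for the three claims above (empty PRM arrays, 404 for the RFC 8414 endpoint, no 401 challenge), as an added example that is not part of the original page or the project's code. The function name, its inputs and the probe results are assumptions; the PRM values are copied from the payload above.

```python
# Added example: consistency check for an anonymous-only deployment.
# Function name, input shape and probe values are assumptions for illustration.

def check_anonymous_only(origin, prm, as_metadata_status, probe_status, probe_headers):
    """Return a list of findings; an empty list means the published
    signals agree with 'anonymous-only, no authorization server'."""
    findings = []
    # RFC 9728: "resource" must equal the identifier the metadata URL was built from.
    if prm.get("resource") != origin:
        findings.append("resource does not match the origin that served the PRM")
    # The explicit anonymous-only signal: each auth-related array present and empty.
    for key in ("authorization_servers", "scopes_supported", "bearer_methods_supported"):
        value = prm.get(key)
        if not isinstance(value, list):
            findings.append(f"{key} missing or not an array")
        elif value:
            findings.append(f"{key} is non-empty: {value}")
    # No AS exists, so RFC 8414 metadata must not be served.
    if as_metadata_status != 404:
        findings.append(f"oauth-authorization-server returned {as_metadata_status}, expected 404")
    # A public API must not challenge unauthenticated callers.
    header_names = {name.lower() for name in probe_headers}
    if probe_status == 401 or "www-authenticate" in header_names:
        findings.append("unauthenticated probe was challenged (401 or WWW-Authenticate)")
    return findings


# Constructed sample: the PRM shown above, plus assumed probe results.
ORIGIN = "https://orchestkit.yonyon.ai"
PRM = {
    "resource": ORIGIN,
    "authorization_servers": [],
    "scopes_supported": [],
    "bearer_methods_supported": [],
    "resource_documentation": ORIGIN + "/auth.md",
    "resource_policy_uri": ORIGIN + "/api-policy.md",
}

if __name__ == "__main__":
    print(check_anonymous_only(ORIGIN, PRM, 404, 200, {"Content-Type": "application/json"}))
    # Drift case (constructed): a bearer method appears and the API starts returning 401.
    drifted = dict(PRM, bearer_methods_supported=["header"])
    for finding in check_anonymous_only(ORIGIN, drifted, 404, 401, {"WWW-Authenticate": "Bearer"}):
        print("FINDING:", finding)
```
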